On Sun, 28 Nov 2004 10:57:47 +0100, Ben Nagy <ben@iagu.net> wrote:
> [MHawkins]
> > > Antivirus vendors have painted themselves into their own
> > > conspiracy-theoried corner by purveying a product that is based on
> > > technology that is purely reactive, and for the last ten years they've
> > > used one method of protection, thereby enabling other attack vectors
> > > to be repeatedly successful.
>
> And this is a bad thing WHY, exactly? AV does a very good job, in general,
> at looking at dodgy things as they enter and leave the filesystem. That was
> the original job of AV and remains the core of the products.

You are referring to host-based AV, of course.

> A firewall, for example, does a generally good job of allowing or declining
> traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
> doesn't mean that firewall vendors are hopeless and that they haven't
> evolved over the last ten or fifteen years.

Two words: Fortinet's Fortigate. (No, I do not work for Fortinet. I
work in the IT dept. of a food processing company). I am sure there
are many upper-layer-aware firewalls, but for the price, I haven't
found much competition.

> The problem starts when "the market" starts expecting FW+AV to protect them
> from all current threats - well, they don't. You may as well get mad at your
> fire alarm when the pipes burst in your roof.

FW+AV in one works well here.

> At a host level, malware is using a bunch of different attack vectors which
> were never in-spec for AV. Worms work by hijacking execution somehow, which
> is all happening in memory, before the AV gets a shot at it. They require no
> user interaction to spread, whereas AV has typically looked at viruses
> (gasp) which _do_ require user interaction.

Concentrate on the perimeter with upper-layer-aware firewalls if you
can't rely (we don't) on host-based AV.

> Spyware, adware and all those tasty browser malwares work by exploiting the
> security identity of IE, making it impossible for an AV to tell that the
> functions are not what was intended.

Security through obscurity combined with a wee bit of education works
here. You are very pessimistic, sir. :)